12895: Rekeying and Renewing Your Expired Digital Certificates in RACF Hands-on Lab Intro

Transcription

1 12895: Rekeying and Renewing Your Expired Digital Certificates in RACF Hands-on Lab Intro Gwen Dente, IBM Advanced Technical Skills Tuesday, February 5, 2013: 09:30 AM - 10:30 AM, HIL, Union Square 23-24, Fourth Floor Session Number In this 1 st Document: Read Descriptions of 2 required Scenarios (pp. 9-12). Find your team s IPv4 interfaces and addresses (pp ). In the 2 nd Document: Lab starts on page 15 1

2 Abstract You finally succeeded in establishing a secure environment for FTP on z/os using security certificates and keyrings. But you forgot one thing: certificates and keys can expire and no longer be usable. In this lab you will learn how to manage your keys and certificates in order to avoid downtime incurred due to expired certificates. PREREQUISITE: This lab is self-driven and assumes that the attendee already understands x.509 certificate processing and Public Key Infrastructure. The knowledge can be gained by lectures or through previous experience. 2

3 Student MVSn Tests with MVS1; 2 Student TCP/IP Stacks (TCPIPT,TCPIPG) MVS1 MVSn = Student MVS Systems (MVS2-MVS7) z/vm HOST MACHINE LEGEND: n represents MVS suffix (1-7) Example: MVSn = MVS1-7 Example: 8n = MVS1 TCPIP1 TCPIPT TCPIPG MVS2 TCPIP1 TCPIPT TCPIPG MVS3 TCPIP1 TCPIPT TCPIPG MVS4 TCPIP1 TCPIPT TCPIPG MVS5 TCPIP1 TCPIPT TCPIPG MVS6 TCPIP1 TCPIPT TCPIPG MVS7 TCPIP1 TCPIPT TCPIPG 1 telnet n on TCPIP1 2 Analyze and test TCPIPT or TCPIPG LEGEND: 8n = to access TCPIP1 9n = to access TCPIPT 10n = to access TCPIPG 1. Telnet into Maintenance Stack (TCPIP1) at the MVSn Guest Machine. A. Initialize and Test your TCPIPT or TCPIPG stack with the instructor profile. B. Edit TCP/IP configurations for Test Stack (TCPIPT or TCPIPG) with ISPF editor under TSO 2. Initialize and Test your TCPIPT or TCPIPG with your new profile. 3. You will test your connections against the Instructor MVS: MVS1. 3

4 Scenarios for Testing between MVS1 & Student MVSn Instructor MVS1 Policy Agent (AT-TLS Policies) TCPIP IPv4 Network TN3270 Connection n Student MVS2 MVS7 TCPIP n Policy Agent (AT-TLS Policies) FTP Client on TCPIPT at OSA, VLINK1, VLINK2 (USERn01) Refresh & Test Expired Certificates FTPT Server on TCPIPT at OSA, VLINK1, VLINK2 Administrator: USERn1 FTP Client on TCPIPG at OSA, VLINK1, VLINK2 (USERn02) Refresh & Test Expired Certificates FTPG Server on TCPIPG at OSA, VLINK1, VLINK2 Administrator: USERn2 1. Test successful secured FTP client connection from MVS1 to your AT-TLS FTP Server at TCPIPT or TCPIPG stack in MVSn. Testing between Source and Destination OSA Port addresses. 2. Test same connection using expired FTP Server certificate on key ring associated with your FTP Server. 1. Refresh the expired Server certificate and re-test. Testing between Source and Destination VLINK1 addresses. 3. Test same connection again using expired CA and FTP Server certificates on key ring associated with your FTP Server. 1. Refresh both expired certificates and re-test the connection. Testing between Source and Destination VLINK2 addresses. 4

5 Assignment of Student IDs to TCPIPT or TCPIPG Stacks in MVSn TEAMn1 / USERn1 TCPIPT Stack TEAMn2 / USERn2 TCPIPG Stack Primary Userid Alternate Userid Primary Userid Alternate Userid MVS1: USER11 USER101 MVS1: USER12 USER102 MVS2: USER21 USER201 MVS2: USER22 USER202 MVS3: USER31 USER301 MVS3: USER32 USER302 MVS4: USER41 USER401 MVS4: USER42 USER402 MVS5: USER51 USER501 MVS5: USER52 USER502 MVS6: USER61 USER601 MVS6: USER62 USER602 MVS7: USER71 USER701 MVS7: USER72 USER702 n = Suffix of MVS Image Password: gbguser z/os hlq: USER.CS.xxx UNIX Subdirectory: /u/usernx ( nx is suffix of userid) 5

6 Assignment of Student IDs to TCPIPT in MVSn (TEAMn1) TEAMn1 / USERn1 Primary Userid MVS1: USER11 Users at TCPIPT Stack Telnet into TCPIP1 for Maintenance: Alternate Userid USER101 MVS2: USER21 MVS3: USER31 MVS4: USER41 MVS5: USER51 MVS6: USER61 MVS7: USER USER201 USER301 USER401 USER501 USER601 USER701 n = Suffix of MVS Image Password: gbguser z/os hlq: USER.CS.xxx UNIX Subdirectory: /u/usernx ( nx is suffix of userid) 6

7 Assignment of Student IDs to TCPIPG in MVSn (TEAMn2) TEAMn2 / USERn2 Primary Userid MVS1: USER12 Users at TCPIPG Stack Telnet into TCPIP1 for Maintenance: Alternate Userid USER102 MVS2: USER22 MVS3: USER32 MVS4: USER42 MVS5: USER52 MVS6: USER62 MVS7: USER USER202 USER302 USER402 USER502 USER602 USER702 n = Suffix of MVS Image Password: gbguser z/os hlq: USER.CS.xxx UNIX Subdirectory: /u/usernx ( nx is suffix of userid) 7

8 Key Ring Repository Scenarios (Key Rings and their Certificates) 8

9 Two Choices: Renew Expiring Certificate or Replace Private Key Renewing an expiring certificate When a certificate approaches its expiration date, you can renew the certificate and continue using it. You can choose to renew the certificate using the same private key, thereby extending the life of the private key. Retiring a private key Or you can retire the private key and replace it with a new private key (also called certificate rekeying or key rollover). Scenarios In Scenario 1 while using a discrete AT-TLS policy for address ranges for TCPIPT and for TCPIPG your AT-TLS connections work fine. Certificates are still valid. In Scenario 2 and using a 2 nd discrete AT-TLS policy for address ranges for TCPIPT and for TCPIPG your AT-TLS connections fail with SSL Return Code of 401. In Optional Scenario 3 we ask you to rekey ( rollover ) the FTP Server Certificate and test it. In Optional Scenario 4 while using a 3 rd discrete AT-TLS policy for address ranges for TCPIPT and for TCPIPG your AT-TLS connections fail with SSL Return Code of 401. RACF Prerequisites Authorization to the RACDCERT ROLLOVER, GENCERT, GENREQ, ALTER, REKEY commands and the SETROPTS command. Only the Instructor has authorization to the SETROPTS command, but the PROC named SPECUSER can issue the command on a student s behalf. Prior to the class, students are permitted appropriate temporary access to the facility classes for ALTER, REKEY, and ROLLOVER. 9

10 Scenario 1: Successful Key Ring and its Certificates FTP.DATA specifies Server Authentication Only Instructor MVS1 Policy Agent (AT-TLS Policies) TCPIP/Client_RING TCPIP/Client_RING MVS1 MVS1 LABS LABS Certificate Certificate Authority Authority TCPIP FTP Client on TCPIPT at (USERn01) FTP Client on TCPIPG at (USERn02) Student MVS2 MVS7 TCPIP n Policy Agent (AT-TLS Policies) FTPT Server on TCPIPT at n Administrator: USERn1 FTPG Server on TCPIPG at n Administrator: USERn2 FTPD/Server_RING FTPD/Server_RING FTP FTP Server Server on on MVS1-MVS7 MVS1-MVS7 MVS1 MVS1 LABS LABS Certificate Certificate Authority Authority 1. All Key Rings are shared and contain valid and trusted certificates that have not yet expired. 2. Testing between Source and Destination OSA Port addresses: TCPIPT: ; TCPIPG:

11 Scenario 2: Key Ring and Renewal of Expired FTP Server Certificate FTP.DATA specifies Server Authentication Only FTPD/FTPEXPn1_RING FTPServern1 EXP MVS1 LABS Certificate Authority Instructor MVS1 Policy Agent (AT-TLS Policies) TCPIP FTP Client on TCPIPT at (USERn01) FTP Client on TCPIPG at (USERn02) Student MVS2 MVS7 TCPIP n Policy Agent (AT-TLS Policies) FTPT Server on TCPIPT at n Administrator: USERn1 FTPG Server on TCPIPG at n Administrator: USERn2 TCPIP/Client_RING TCPIP/Client_RING MVS1 MVS1 LABS LABS Certificate Certificate Authority Authority SSL RC 401 FTPD/FTPEXPn2_RING FTPServern2 EXP MVS1 LABS Certificate Authority 1. The separate FTP Server Key Rings contain an expired FTP Server Certificate. The FTP Client Ring is shared. 2. You must change the expiration dates for these certificates by RENEWING them. The Public/Private keys remain intact. Addresses are VLINK1 addresses: TCPIPT: ; 11 TCPIPG:

12 Scenario 3 (Optional): Rekeying ( Rollover ) of Personal FTP Server Certificate Instructor MVS1 Policy Agent (AT-TLS Policies) FTP.DATA specifies Server Authentication Only TCPIP Student MVS2 MVS7 TCPIP n Policy Agent (AT-TLS Policies) FTPD/FTPEXPn1_RING FTPServern1 EXP [ FTPServern1 EXP-2 ] MVS1 LABS Certificate Authority FTP Client on TCPIPT at (USERn01) FTPT Server on TCPIPT at n Administrator: USERn1 TCPIP/Client_RING TCPIP/Client_RING MVS1 MVS1 LABS LABS Certificate Certificate Authority Authority FTP Client on TCPIPG at (USERn02) FTPG Server on TCPIPG at n Administrator: USERn2 FTPD/FTPEXPn2_RING FTPServern2 EXP [ FTPServern2 EXP-2 ] MVS1 LABS Certificate Authority 1. The separate FTP Server Certificates are associated with Private Keys that have been compromised. The FTP Client Key Ring is shared. 2. You must correct this certificate with a RENEW and then with a ROLLOVER and test. Addresses are VLINK1 addresses: TCPIPT: ; TCPIPG:

13 Scenario 4 (Optional): Rekeying ( Rollover ) of Certificate Authority & FTP Server Personal Certificates TCPIP/ClientEXPn1_RING ZOSn1 EXPCA [ ZOSn1 EXPCA-2 ] Instructor MVS1 Policy Agent (AT-TLS Policies) FTP.DATA specifies Server Authentication Only TCPIP Student MVS2 MVS7 TCPIP n Policy Agent (AT-TLS Policies) FTPD/FTPCAXn1_RING FTPServern1 EXPCA ZOSn1 EXPCA [ ZOSn1 EXPCA-2 ] FTP Client on TCPIPT at (USERn01) FTP Client on TCPIPG at (USERn02) FTPT Server on TCPIPT at n Administrator: USERn1 FTPG Server on TCPIPG at n Administrator: USERn2 TCPIP/ClientEXPn2_RING ZOSn2 EXPCA [ ZOSn2 EXPCA-2 ] 1. The separate FTP Server Key Rings **and** the separate Client Key Rings contain expired FTP Server and CA certificates. 2. You must RENEW both certificates & REKEY the CA certificate. Then you must test the results with VLINK2 addresses: TCPIPT: ; TCPIPG: FTPD/FTPCAXn2_RING FTPServern2 EXPCA ZOSn2 EXPCA [ ZOSn2 EXPCA-2 ]

14 APPENDIX A: Addresses for MVS1 MVS7 in TCPIPT and TCPIPG 14

15 MVS1 Addresses and (Sub)Networks - Instructor MVS - TCPIPT At Control or Maintenance TCPIP1: Telnet Address is At Customizable TCPIPT: Static VIPAs: VLINK / 24 VLINK / Base-T OSA Interface: GIG1F/LGIG1F (aka OSDGIG1F) / 24 Dynamic XCF Interfaces (incl. Dynamic HiperSocket): EZASAMEMVS / 24 IQDIOLNK n / 24 Predefined HiperSocket: HSDELNK / 24 Loopback: LOOPBACK / 24 Default Gateway: / 24 15

16 MVS1 Addresses and (Sub)Networks - Instructor MVS - TCPIPG At Control or Maintenance TCPIP1: Telnet Address is At Customizable TCPIPG: Static VIPAs: VLINK / 24 VLINK / Base-T OSA Interface: GIG1F/LGIG1F (aka OSDGIG1F) / 24 Dynamic XCF Interfaces (incl. Dynamic HiperSocket): EZASAMEMVS / 24 IQDIOLNK n / 24 Predefined HiperSocket: HSDELNK / 24 Loopback: LOOPBACK / 24 Default Gateway: / 24 16

17 Student MVS2 Addresses and (Sub)Networks TCPIPT At Control or Maintenance TCPIP1: Telnet Address is At Customizable TCPIPG: Student USERID = USER21 TSO Password = gbguser UNIX Subdirectory = /u/user21 Telnet to Alternate USERID = USER201 Static VIPAs: VLINK / 24 VLINK / Base-T OSA Interface: GIG1F/LGIG1F (aka OSDGIG1F) / 24 Dynamic XCF Interfaces (incl. Dynamic HiperSocket): EZASAMEMVS / 24 IQDIOLNK n / 24 Predefined HiperSocket: HSDELNK / 24 Loopback: LOOPBACK / 24 Default Gateway: / 24 17

18 Student MVS2 Addresses and (Sub)Networks TCPIPG At Control or Maintenance TCPIP1: Telnet Address is At Customizable TCPIPG: Student USERID = USER22 TSO Password = gbguser UNIX Subdirectory = /u/user22 Telnet to Alternate USERID = USER202 Static VIPAs: VLINK / 24 VLINK / Base-T OSA Interface: GIG1F/LGIG1F (aka OSDGIG1F) / 24 Dynamic XCF Interfaces (incl. Dynamic HiperSocket): EZASAMEMVS / 24 IQDIOLNK n / 24 Predefined HiperSocket: HSDELNK / 24 Loopback: LOOPBACK / 24 Default Gateway: / 24 18

19 Student MVS3 Addresses and (Sub)Networks TCPIPT At Control or Maintenance TCPIP1: Telnet Address is At Customizable TCPIPG: Student USERID = USER31 TSO Password = gbguser UNIX Subdirectory = /u/user31 Telnet to Alternate USERID = USER301 Static VIPAs: VLINK / 24 VLINK / Base-T OSA Interface: GIG1F/LGIG1F (aka OSDGIG1F) / 24 Dynamic XCF Interfaces (incl. Dynamic HiperSocket): EZASAMEMVS / 24 IQDIOLNK n / 24 Predefined HiperSocket: HSDELNK / 24 Loopback: LOOPBACK / 24 Default Gateway: / 24 19

20 Student MVS3 Addresses and (Sub)Networks TCPIPG At Control or Maintenance TCPIP1: Telnet Address is At Customizable TCPIPG: Student USERID = USER32 TSO Password = gbguser UNIX Subdirectory = /u/user32 Telnet to Alternate USERID = USER302 Static VIPAs: VLINK / 24 VLINK / Base-T OSA Interface: GIG1F/LGIG1F (aka OSDGIG1F) / 24 Dynamic XCF Interfaces (incl. Dynamic HiperSocket): EZASAMEMVS / 24 IQDIOLNK n / 24 Predefined HiperSocket: HSDELNK / 24 Loopback: LOOPBACK / 24 Default Gateway: / 24 20

21 Student MVS4 Addresses and (Sub)Networks TCPIPT At Control or Maintenance TCPIP1: Telnet Address is At Customizable TCPIPG: Student USERID = USER41 TSO Password = gbguser UNIX Subdirectory = /u/user41 Telnet to Alternate USERID = USER401 Static VIPAs: VLINK / 24 VLINK / Base-T OSA Interface: GIG1F/LGIG1F (aka OSDGIG1F) / 24 Dynamic XCF Interfaces (incl. Dynamic HiperSocket): EZASAMEMVS / 24 IQDIOLNK n / 24 Predefined HiperSocket: HSDELNK / 24 Loopback: LOOPBACK / 24 Default Gateway: / 24 21

22 Student MVS4 Addresses and (Sub)Networks TCPIPG At Control or Maintenance TCPIP1: Telnet Address is At Customizable TCPIPG: Student USERID = USER42 TSO Password = gbguser UNIX Subdirectory = /u/user42 Telnet to Alternate USERID = USER402 Static VIPAs: VLINK / 24 VLINK / Base-T OSA Interface: GIG1F/LGIG1F (aka OSDGIG1F) / 24 Dynamic XCF Interfaces (incl. Dynamic HiperSocket): EZASAMEMVS / 24 IQDIOLNK n / 24 Predefined HiperSocket: HSDELNK / 24 Loopback: LOOPBACK / 24 Default Gateway: / 24 22

23 Student MVS5 Addresses and (Sub)Networks TCPIPT At Control or Maintenance TCPIP1: Telnet Address is At Customizable TCPIPG: Student USERID = USER51 TSO Password = gbguser UNIX Subdirectory = /u/user51 Telnet to Alternate USERID = USER501 Static VIPAs: VLINK / 24 VLINK / Base-T OSA Interface: GIG1F/LGIG1F (aka OSDGIG1F) / 24 Dynamic XCF Interfaces (incl. Dynamic HiperSocket): EZASAMEMVS / 24 IQDIOLNK n / 24 Predefined HiperSocket: HSDELNK / 24 Loopback: LOOPBACK / 24 Default Gateway: / 24 23

24 Student MVS5 Addresses and (Sub)Networks TCPIPG At Control or Maintenance TCPIP1: Telnet Address is At Customizable TCPIPG: Student USERID = USER52 TSO Password = gbguser UNIX Subdirectory = /u/user52 Telnet to Alternate USERID = USER502 Static VIPAs: VLINK / 24 VLINK / Base-T OSA Interface: GIG1F/LGIG1F (aka OSDGIG1F) / 24 Dynamic XCF Interfaces (incl. Dynamic HiperSocket): EZASAMEMVS / 24 IQDIOLNK n / 24 Predefined HiperSocket: HSDELNK / 24 Loopback: LOOPBACK / 24 Default Gateway: / 24 24

25 Student MVS6 Addresses and (Sub)Networks TCPIPT At Control or Maintenance TCPIP1: Telnet Address is At Customizable TCPIPG: Student USERID = USER61 TSO Password = gbguser UNIX Subdirectory = /u/user61 Telnet to Alternate USERID = USER601 Static VIPAs: VLINK / 24 VLINK / Base-T OSA Interface: GIG1F/LGIG1F (aka OSDGIG1F) / 24 Dynamic XCF Interfaces (incl. Dynamic HiperSocket): EZASAMEMVS / 24 IQDIOLNK n / 24 Predefined HiperSocket: HSDELNK / 24 Loopback: LOOPBACK / 24 Default Gateway: / 24 25

26 Student MVS6 Addresses and (Sub)Networks TCPIPG At Control or Maintenance TCPIP1: Telnet Address is At Customizable TCPIPG: Student USERID = USER62 TSO Password = gbguser UNIX Subdirectory = /u/user62 Telnet to Alternate USERID = USER602 Static VIPAs: VLINK / 24 VLINK / Base-T OSA Interface: GIG1F/LGIG1F (aka OSDGIG1F) / 24 Dynamic XCF Interfaces (incl. Dynamic HiperSocket): EZASAMEMVS / 24 IQDIOLNK n / 24 Predefined HiperSocket: HSDELNK / 24 Loopback: LOOPBACK / 24 Default Gateway: / 24 26

27 Student MVS7 Addresses and (Sub)Networks TCPIPT At Control or Maintenance TCPIP1: Telnet Address is At Customizable TCPIPG: Student USERID = USER71 TSO Password = gbguser UNIX Subdirectory = /u/user71 Telnet to Alternate USERID = USER701 Static VIPAs: VLINK / 24 VLINK / Base-T OSA Interface: GIG1F/LGIG1F (aka OSDGIG1F) / 24 Dynamic XCF Interfaces (incl. Dynamic HiperSocket): EZASAMEMVS / 24 IQDIOLNK n / 24 Predefined HiperSocket: HSDELNK / 24 Loopback: LOOPBACK / 24 Default Gateway: / 24 27

28 Student MVS7 Addresses and (Sub)Networks TCPIPG At Control or Maintenance TCPIP1: Telnet Address is At Customizable TCPIPG: Student USERID = USER72 TSO Password = gbguser UNIX Subdirectory = /u/user72 Telnet to Alternate USERID = USER702 Static VIPAs: VLINK / 24 VLINK / Base-T OSA Interface: GIG1F/LGIG1F (aka OSDGIG1F) / 24 Dynamic XCF Interfaces (incl. Dynamic HiperSocket): EZASAMEMVS / 24 IQDIOLNK n / 24 Predefined HiperSocket: HSDELNK / 24 Loopback: LOOPBACK / 24 Default Gateway: / 24 28

29 APPENDIX B: Setup Jobs & References 29

30 Instructor-run Jobs Prior to Lab At MVS1: SYS1.CS.CNTL(RACFPSEC) -- against shared RACF Database from one system SYS1.CS.CNTL(RACFP100) -- against shared RACF Database from one system SYS1.CS.CNTL(RACFSIZE) -- against shared RACF Database """"""""" NOTE: Your instructor will already have initialized the following procedures at MVS1 the system from which you will be testing: /s TCPIP1 and /s TN3270 and /s FTPCCL /s PAGENTT /S TCPIPT,PROF=TCPSn1,CS=SYS1 /V TCPIP,TCPIPT,O,SYS1.CS.TCPPARMS(TLSON) /s FTPT,cs=sys1,fdat=ftpSAUTH,data=dat1a /S TCPIPG,PROF=TCPSn2,CS=SYS1 /V TCPIP,TCPIPT,O,SYS1.CS.TCPPARMS(TLSON) /s FTPG,cs=sys1,fdat=ftpSAUTH,data=datag /S tn3270t TN3270T PROC PARMS='CTRACE(CTIEZBTN)',PROF=TN&CL1.A,CS=SYS1, DATA=DAT&CL1.A UNIX Copy Jobs for Policy Agent Setup and Policies at all systems /BACKUP/CSPOLICY/CERTREFRESH/ussCERTREFRESH.sh On Your MVS: 1) Your instructor will also have run one script to clear out the student directories from a previous lab offering. 1) EMPTYCER (copies skeletons into student datasets on unique volumes) 1) Must be run at each MVS: MVS2-MVS7 2) /s TCPIP1 and /s TN3270 and /s FTPCCL 2) /s PAGENTT /S TCPIPT, CS=SYS1,PROF=TCPSn1 /V TCPIP,TCPIPT,O,SYS1.CS.TCPPARMS(TLSON) /s FTPT,cs=sys1,fdat=FTPSAUTH,data=dat1a /S TCPIPG, CS=SYS1,PROF=TCPSn2 /V TCPIP,TCPIPT,O,SYS1.CS.TCPPARMS(TLSON) /s FTPG,cs=sys1,fdat=FTPSAUTH,data=datag FTP.DATA of FTPSAUTH specifies Server Authentication Only OTHER INFORMATION: SCENARIO 1 Command for TEST: ===> ftp -r TLS -f "//'sys1.cs.tcpparms(ftpclsec)'" -p TCPIPT -s /s SPECUSER = procedure to execute SETROPTS with Special User Authority 30

31 Instructor Jobs Used to Create Pre-Existing Certificates and Rings At MVS1 Shared RACF Database: SYS1.CS.CNTL(RACDCLR1) //****FOR EXERCISE ON REKEYING/REFRESHING CA and Server CERTS ********** //* Creates Generic Client Ring with only CA connected to it * //* Creates Individual Client Rings with only CA connected to them * //********************************************************************* SYS1.CS.CNTL(RACDFTPX) //****FOR EXERCISE ON REKEYING/REFRESHING SERVER CERTIFICATES ********* //* TCPIPT: Create Individual Personal Certificate for FTP Server 11 * //* USER11.. USING EXPIRED FTP Server Certificate * //* TCPIPG: Create Individual Personal Certificate for FTP Server 12 * //* USER12.. USING EXPIRED FTP Server Certificate * //********************************************************************* SYS1.CS.CNTL(RACDCAX) //****FOR EXERCISE ON REKEYING/REFRESHING CA and Server CERTS ********* //* TCPIPT: Create CA and FTP Server Certs that are both expired * //* USER11.. USING EXPIRED FTP Server Certificate * //* TCPIPG: Create CA and FTP Server Certs that are both expired * //* USER12.. USING EXPIRED FTP Server Certificate * //********************************************************************* 31

32 Instructor Jobs Used to Create Pre-Existing Certificates and Rings At MVS1 Shared RACF Database: SYS1.CS.CNTL(RACDFTPA) //****FOR EXERCISE ON REKEYING/REFRESHING CA and Server CERTS ******** //* Creates Generic SERVER CERT for FTP SERVER on MVS1-7 * //* Creates Generic SERVER Ring with CACERT and Generic FTP SRVCERT * //****** THIS NEVER NEEDS A CLEANUP ********************************* //******************************************************************** SYS1.CS.CNTL(RACDFTPX) //****FOR EXERCISE ON REKEYING/REFRESHING SERVER CERTIFICATES ********* //* TCPIPT: Create Individual Personal Certificate for FTP Server 11 * //* USER11.. USING EXPIRED FTP Server Certificate * //* TCPIPG: Create Individual Personal Certificate for FTP Server 12 * //* USER12.. USING EXPIRED FTP Server Certificate * //********************************************************************* SYS1.CS.CNTL(RACDCAX) //****FOR EXERCISE ON REKEYING/REFRESHING CA and Server CERTS ********* //* TCPIPT: Create CA and FTP Server Certs that are both expired * //* USER11.. USING EXPIRED FTP Server Certificate * //* TCPIPG: Create CA and FTP Server Certs that are both expired * //* USER12.. USING EXPIRED FTP Server Certificate * //********************************************************************* 32

33 Instructor Jobs Used to Create Pre-Existing Certificates and Rings At MVS1 Shared RACF Database: SYS1.CS.CNTL(RACDDEL2) //****FOR SCENARIO 2 REKEYING/REFRESHING CA and Server CERTS ********* //* Deletes the student Server Key Rings from previous class * //* Deletes the student FTPServer Certificates from RACF Repository * //****** RERUN THE JOB RACDFTPX TO DO the FOLLOWING ************** //* Recreates student FTPServer Certificate with Expired Dates * //* Recreates the Server Key Rings and connects certificates * //********************************************************************* SYS1.CS.CNTL(RACDDEL4) //****FOR SCENARIO 4 REKEYING/REFRESHING CA and Server CERTS ********* //* Deletes the student Client Key Rings from previous class * //* Deletes the student Server Key Rings from previous class * //* Deletes the student FTPServer Certificates from RACF Repository * //* Deletes the old and rolled over CA Certificates (RACF Repository) * //* Recreates the CA Certificate which students later rollover * //* Recreates student FTPServer Certificate with Expired Dates * //* Recreates the Client Key Rings and connects certificates * //* Recreates the Server Key Rings and connects certificates * //********************************************************************* SYS1.CS.CNTL(RACDCLR2) //****FOR EXERCISE ON REKEYING/REFRESHING CA and Server CERTS ********** //* Creates INDIVIDUAL Client Rings with only CA connected to them * //*********** THE CLIENTS WILL NEED TO REFRESH THIS KEYRING ********** //*********** with a renewed and rekeyed certificate ********** //********************************************************************* 33

34 END OF LAB 12895: Rekeying and Renewing Your Expired Digital Certificates in RACF Hands-on Lab Intro Gwen Dente, IBM Advanced Technical Skills Tuesday, February 5, 2013: 09:30 AM - 10:30 AM, HIL, Union Square 23-24, Fourth Floor Session Number In this 1 st Document: Read Descriptions of 2 required Scenarios (pp. 9-12). Find your team s IPv4 interfaces and addresses (pp ). In the 2 nd Document: Lab starts on page 15 34